How to Configure Private Hosts in a Cisco Catalyst 6500 switch

Configuring Private Hosts on Catalyst 6500 switch running Cisco IOS Software

1] Configure MAC-List

ROUTER#conf t

Enter configuration commands, one per line. End with CNTL/Z.

ROUTER(config)#private-hosts mac-list BRAS 0000.7777.3333

2] Configure Private Hosts vlan-list

ROUTER(config)#private-hosts vlan-list 777,888

3] Configure Promiscuous Device

ROUTER(config)#private-hosts promiscuous BRAS vlan-list 888

4] Enable the Private Hosts feature globally

ROUTER(config)#private-hosts

5] Configure the VLANs and enable the Private Hosts modes on the interfaces

ROUTER(config)#vlan 777

ROUTER(config-vlan)#exit

ROUTER(config)#vlan 888

ROUTER(config-vlan)#exit

ROUTER(config)#

ROUTER(config)#int g3/2

ROUTER(config-if)#switchport

ROUTER(config-if)#switchport trunk encapsulation dot1q

ROUTER(config-if)#switchport mode trunk

ROUTER(config-if)#switchport trunk allowed vlan 777,888

ROUTER(config-if)#access-group mode prefer port

ROUTER(config-if)#private-hosts mode isolated

ROUTER(config-if)#int g4/12

ROUTER(config-if)#switchport

ROUTER(config-if)#switchport mode trunk

ROUTER(config-if)#switchport trunk allowed vlan 888

ROUTER(config-if)#access-group mode prefer port

ROUTER(config-if)#private-hosts mode promiscuous

ROUTER(config-if)#int f1/35

ROUTER(config-if)#no sh

ROUTER(config-if)#switchport

ROUTER(config-if)#switchport trunk encapsulation d

ROUTER(config-if)#switchport mode trunk

ROUTER(config-if)#switchport trunk allowed vlan 777,888

ROUTER(config-if)#access-group mode prefer port

ROUTER(config-if)#private-hosts mode isolated

6] Verify that the Private Hosts feature is enabled and the redirect index is programmed

ROUTER#sh private-hosts configuration
Private hosts enabled. BR INDEX 7
All mandatory configurations configured
Privated hosts vlans lists: 777,888
Privated promiscuous MAC configuration:
A '*' mark behind the mac list indicates non-existant mac-list

MAC-list                     VLAN list
BRAS                         888

ROUTER#

7] Verify that Private Hosts is enabled on all the interfaces

ROUTER#sh private-hosts interface configuration
Private hosts enabled
Debug Events: 0 Acl: 0 API: 0
Promiscuous interface list
  GigabitEthernet4/12
Isolated interface list
  FastEthernet1/35 GigabitEthernet3/2
Mixed mode interface list

ROUTER#

8] Verify that the TCAM redirect index is programmed with the Promiscuous/Mixed ports, using "show tcam redirect" on the SP (switch processor). The BR INDEX 7 reported in step 6 corresponds to Indx 7 below, whose port list contains the promiscuous port 4/12.

ROUTER#remote command switch sh tcam red

TCAM Redirect Indices

       offset: 0x7E00
       Indx 0 (0x7E00)  unique: 0 count_allocations: 0 entries: 0  Portlist:
       Indx 1 (0x7E01)  unique: 0 count_allocations: 2 entries: 0  Portlist: 15/1
       Indx 2 (0x7E02)  unique: 0 count_allocations: 2 entries: 0  Portlist: 15/1
       Indx 3 (0x7E03)  unique: 0 count_allocations: 2 entries: 0  Portlist: 15/1
       Indx 4 (0x7E04)  unique: 0 count_allocations: 2 entries: 0  Portlist:
       Indx 5 (0x7E05)  unique: 1 count_allocations: 1 entries: 0  Portlist: 15/1
       Indx 6 (0x7E06)  unique: 1 count_allocations: 1 entries: 0  Portlist: 15/1
       Indx 7 (0x7E07)  unique: 0 count_allocations: 1 entries: 1  Portlist: 4/12

ROUTER#

9] Verify the TCAM entries on the Isolated Ports:
- Traffic with Src MAC = BRAS MAC should be denied
- Traffic with Destination MAC = BRAS MAC should be permitted
- Broadcast traffic should be redirected
- ANY OTHER TRAFFIC should be denied

ROUTER#sh tcam int g3/2 acl in other module 3

  Global Defaults shared


Entries from Bank 0


Entries from Bank 1

   deny         other host 0000.7777.3333 any
   permit       other any 3333.0000.0000 ffff.0000.0000
   permit       other any 0100.5e00.0000 ffff.ff80.0000
   permit       other any host 0000.7777.3333
   redirect     other any host ffff.ffff.ffff
   deny         other any any

ROUTER#sh tcam int f1/35 acl in other module 1

  Global Defaults shared


Entries from Bank 0


Entries from Bank 1

   deny         other host 0000.7777.3333 any
   permit       other any 3333.0000.0000 ffff.0000.0000
   permit       other any 0100.5e00.0000 ffff.ff80.0000
   permit       other any host 0000.7777.3333
   redirect     other any host ffff.ffff.ffff
   deny         other any any

ROUTER#


10] Verify the TCAM entries on the Promiscuous Port:
- Traffic with Source MAC = BRAS MAC should be permitted
- Any other traffic should be denied

ROUTER#sh tcam int g4/12 acl in other

  Global Defaults shared


Entries from Bank 0


Entries from Bank 1

   permit       other host 0000.7777.3333 any
   deny         other any any

ROUTER#
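The entry lists in steps 9 and 10 are what actually enforce isolation, so it is worth being able to check them mechanically rather than by eye. The script below is an added example, not code from the Cisco article: it parses the entry lines copied from the two "show tcam" outputs above and evaluates frames against them with first-match semantics, then asserts the four step 9 expectations for isolated ports and the two step 10 expectations for the promiscuous port. The subscriber MACs (0011.2233.4455 and 0011.2233.6677) are constructed; the BRAS MAC is the one from the article. It assumes that a 1 bit in a printed mask is a compared bit, which is what the two multicast entries imply (ffff.0000.0000 pins the 3333 IPv6 prefix, ffff.ff80.0000 pins 0100.5e00 through 0100.5e7f).

```python
"""Model of the Private Hosts Layer 2 ACL entries shown by 'show tcam ... acl in other'.

Added example, not from the Cisco article. Parses the entry lines from steps 9 and 10
and classifies constructed frames with first-match semantics.
"""

BRAS_MAC = "0000.7777.3333"      # promiscuous device MAC from the article
HOST_A = "0011.2233.4455"        # constructed subscriber MAC (not on the page)
HOST_B = "0011.2233.6677"        # constructed subscriber MAC (not on the page)
BROADCAST = "ffff.ffff.ffff"
FULL_MASK = 0xFFFFFFFFFFFF

# Entries exactly as the article shows them for the isolated ports (g3/2, f1/35).
ISOLATED_TCAM = """\
   deny         other host 0000.7777.3333 any
   permit       other any 3333.0000.0000 ffff.0000.0000
   permit       other any 0100.5e00.0000 ffff.ff80.0000
   permit       other any host 0000.7777.3333
   redirect     other any host ffff.ffff.ffff
   deny         other any any
"""

# Entries exactly as the article shows them for the promiscuous port (g4/12).
PROMISCUOUS_TCAM = """\
   permit       other host 0000.7777.3333 any
   deny         other any any
"""


def mac_to_int(mac):
    """'0000.7777.3333' -> 0x000077773333."""
    return int(mac.replace(".", ""), 16)


def parse_mac_spec(tokens):
    """Consume one MAC specifier ('any', 'host X', or 'X MASK').

    Returns ((value, mask), remaining_tokens). Assumption: a 1 bit in MASK is a
    compared bit, as the multicast entries in the article's output imply.
    """
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (mac_to_int(tokens[1]), FULL_MASK), tokens[2:]
    return (mac_to_int(tokens[0]), mac_to_int(tokens[1])), tokens[2:]


def parse_tcam(text):
    """Turn printed entry lines into (action, src_spec, dst_spec) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue                      # blank or header line
        action = tokens[0]                # tokens[1] is 'other', the non-IP bucket
        src, rest = parse_mac_spec(tokens[2:])
        dst, rest = parse_mac_spec(rest)
        entries.append((action, src, dst))
    return entries


def matches(spec, mac):
    value, mask = spec
    return (mac_to_int(mac) & mask) == (value & mask)


def classify(entries, src_mac, dst_mac):
    """First matching entry wins, as in the TCAM; an unmatched frame is denied."""
    for action, src, dst in entries:
        if matches(src, src_mac) and matches(dst, dst_mac):
            return action
    return "deny"


ISOLATED = parse_tcam(ISOLATED_TCAM)
PROMISCUOUS = parse_tcam(PROMISCUOUS_TCAM)


def isolated_policy_ok(entries):
    """Step 9 expectations for an isolated port."""
    return (classify(entries, BRAS_MAC, HOST_A) == "deny"          # src = BRAS denied
            and classify(entries, HOST_A, BRAS_MAC) == "permit"    # dst = BRAS permitted
            and classify(entries, HOST_A, BROADCAST) == "redirect" # broadcast redirected
            and classify(entries, HOST_A, HOST_B) == "deny")       # host-to-host denied


def promiscuous_policy_ok(entries):
    """Step 10 expectations for the promiscuous port."""
    return (classify(entries, BRAS_MAC, HOST_A) == "permit"
            and classify(entries, HOST_A, HOST_B) == "deny"
            and classify(entries, HOST_A, BRAS_MAC) == "deny")


if __name__ == "__main__":
    print("isolated ports match step 9:", isolated_policy_ok(ISOLATED))
    print("promiscuous port matches step 10:", promiscuous_policy_ok(PROMISCUOUS))
    # Multicast boundary: 0100.5e7f.ffff is inside the IPv4 multicast range,
    # 0100.5e80.0000 is not, so it falls through to the final deny.
    print(classify(ISOLATED, HOST_A, "0100.5e7f.ffff"),
          classify(ISOLATED, HOST_A, "0100.5e80.0000"))
```

The redirect action on the broadcast entry sends the frame to the redirect index verified in step 8, whose port list holds the promiscuous port, which is how a subscriber's broadcast reaches the BRAS without reaching other subscribers. Applying the promiscuous entry list to an isolated port (or vice versa) makes the corresponding check fail, which is the condition these verification steps are meant to catch.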

11] Verify that the BRAS MAC address is installed with the flags below: Type=Static, Learn=Yes

ROUTER#sh mac-address-table | i 0000.7777

  888    0000.7777.3333    static    Yes    -    <drop>

ROUTER#

Version history
Revision #:
1 of 1
Last update:
06-10-2009 05:06 PM